FreeRADIUS HowTos

Getting things done quickly.

Protocol and Password Compatibility

Passwords may be stored in a DB in many forms. Clear-text, MD5
hashed, crypt'd, NT hash, or other methods are all commonly used.
Authentication protocols used in RADIUS are not always compatible with
the way the passwords have been stored. The following table shows
which protocol is compatible with what kind of password.

Legend

If the corresponding cell is green (i.e. has a '✓'
check mark), the corresponding password storage method and the
protocol are compatible, and authentication is possible.

If the corresponding cell is red (i.e. has an 'x'), the
corresponding password storage method and the protocol are not
compatible, and authentication is not possible.

Notes

For EAP-TTLS, look up the tunneled protocol in the above
table. For the purposes of this table, the tunneled session is just
another RADIUS authentication request. So for EAP-TTLS, with tunneled
PAP, look up PAP in the above table.

Similarly, PEAP normally contains EAP-MSCHAPv2 in the tunneled
session, so its row in the table is identical to the EAP-MSCHAPv2
row, which is in turn identical to the MS-CHAP row.

We do not list EAP-TLS in the above table, because it performs
authentication with certificates, and doesn't use passwords.

Gotchas

Many people store passwords in their databases in hashed or
encrypted form. They later decide that they need to support an
authentication protocol that the above table shows is
incompatible with their password storage method. They then ask:

How can I make authentication protocol X work with passwords stored as Y?

The short answer is:

You can't.

The password hashes and the authentication protocols were designed to
be incompatible. A hash is one-way, so the server cannot recover the
clear-text password that a protocol such as CHAP needs in order to
recompute the client's response. If the cell in the above table is
red, it is impossible to make that authentication protocol use that
form of the password. Your only choices are to stop using that
authentication protocol, or to store the passwords in a form that is
compatible with it. Unfortunately, the second choice usually means
asking every user to change their password, so that the new form can
be stored.

Welcome!

RADIUS implementations can be complicated. This site contains a
collection of hints, documentation, and information for people who are
using RADIUS.